Category: GPO

You have to deploy SCCM a well controlled and step by step. You want to use (automatic) push installation.

This can be done by putting the PCs you want into AD-groups and throw some GPOs at them, to add an ConfigMgrPush Account to local admins for example.

Then Active Directory Group Discovery has to be set up to discover items in the selected AD-Group.

Now, when you put in a PC to this AD-Group, it will be discovered in a short time (5 Minutes in standard delta discovery settings).

After discovery, SCCM will try to push the client to the new PCs but it fails, because the ConfigMgr push account is not a local admin. This happens, because a reboot is needed for the PC to be aware of new group memberships and applying the GPO.

If you ever tested stuff that is based on AD-Groups for Computers – like GPO Software deployment – you have experienced that the PC “knows” its new group membership only after a reboot or after seven days of waiting….

After searching a while I found a way to get membership changes without reboot:

Open a command promt in the system user context and purge the kerberos tickets to get new ones, e.g. with the great tool psexec :